[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue# 2-Gateway Discovery

To: mcondell@xxxxxxx
Subject: Re: Issue# 2-Gateway Discovery
From: Yaron Sheffer <yaron.sheffer@xxxxxxxxxxxx>
Date: Mon, 21 Aug 2000 19:43:01 +0200
Cc: ipsec-policy <ipsec-policy@xxxxxxxx>
List-archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-id: <ipsec-policy.vpnc.org>
List-unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Organization: RADGUARD
References: <>
Sender: owner-ipsec-policy@xxxxxxxxxxxxx

Hi Matthew,

your note below hints at another way to look at gateway/policy discovery.

I can see four major problems with path-based policy discovery:

1. Routing: the assumption that you can just send packets into another
security domain is typically incorrect. People use private (non-routable)
addresses as well as private DNS servers, exactly to defeat this
possibility. So tunneling is part of your addressing (routing), not just
part of your security.

2. Resiliency: routing can change at any time. But path negotiation fixes
it for the duration of the flow.

3. Scalability: the end-point (or end-points) need to deal with the
complexity of a long path with many gateways and many policies that need
to be resolved.

4. Security: I think it is not realistic to assume that people will let
policy discovery packets worm their way into their networks. Especially
in the cases when you have nested security domains (and nested gateways),
people are least likely to allow alien packets in.

Unfortunately I don't have a solution to offer. But a possible direction
would be a hierarchy of policy servers, where each is familiar with its
own domain and its local policies, and can locate other servers and
negotiate with them. Such negotiation can result in temporary agreements
to tunnel a certain flow in a certain way. A high-level server may need
to consult with a subordinate server when creating an agreement.

Thanks,
    Yaron

Matthew Condell wrote:

>
> >    4-During the course of discovery, who should
> >      learn the topology? The initiator? All gateways
> >      the discovery message traverses? Border gateways?
>
> I don't think each policy server should need to know more than the
> end-points of the communication and the policy server (or gateway)
> on either side of it.
>

begin:vcard 
n:Sheffer;Yaron
tel;cell:+972-51-628922
tel;work:+972-3-765-8922
x-mozilla-html:TRUE
url:www.radguard.com
org:Radguard
adr:;;Atidim Technology Park, Bdg #4;Tel Aviv;;61581;Israel
version:2.1
email;internet:yaron.sheffer@xxxxxxxxxxxx
title:Group Leader, Technologies
fn:Yaron Sheffer
end:vcard

Follow-Ups:
- Re: Issue# 2-Gateway Discovery
  - From: Angelos D. Keromytis

References:
- Re: Issue# 2-Gateway Discovery
  - From: Matthew Condell

Prev by Date: Re: IPSP topics
Next by Date: Re: Issue# 2-Gateway Discovery
Previous by thread: Re: Issue# 2-Gateway Discovery
Next by thread: Re: Issue# 2-Gateway Discovery
Index(es):
- Date
- Thread